Many networks connect to other networks, such as the Internet, through a network address translator (“NAT”). A NAT maps the Internet protocol (“IP”) addresses used by an internal network to the IP addresses used by an external network, and vice versa. NATs were originally developed to overcome the limited size of the 32-bit IP address space. An internal network may have thousands of computers that need access to an external network, and if every computer in the world (including each PDA and cell phone) had its own IP address, more than 32 bits might be needed to address them all uniquely. An internal network may therefore use a NAT to present a single external IP address to external networks while assigning an internal IP address to each computer of the internal network. All external computers communicate with the internal network via that external IP address. When an internal computer sends a communication via the NAT to an external computer, the NAT allocates an external port for that communication and maintains a mapping between the external port and the internal computer's address and port. The NAT then forwards the communication to the destination external computer from that external port. When the NAT receives a response on that external port, it uses the mapping to identify the internal computer and forwards the response to it.
A NAT is typically implemented as part of a firewall or other device that limits incoming communications from the external network that use suspect protocols. In particular, communications from the external network using these suspect protocols that are not responses to a communication initiated from the internal network (i.e., unsolicited communications) are blocked by the NAT. The suspect protocols typically include TCP and UDP. A problem arises when two computers that wish to communicate are each behind their own NAT that blocks such communications. Since each NAT blocks unsolicited communications, every communication sent by either computer is blocked by the other computer's NAT, because neither can be a response to a communication that got through. Thus, communication between the two computers using the suspect protocols is not possible when both are behind NATs that block unsolicited communications using those protocols.
One solution that has been proposed for overcoming this limitation of NATs is the Traversal Using Relay NAT (“TURN”) protocol of the Internet Engineering Task Force (“IETF”). (TURN was originally specified in IETF Internet-Drafts and later published as RFC 5766, since superseded by RFC 8656; RFC 2026 is the IETF standards-process document, not the TURN specification.) The TURN protocol provides a means by which an internal computer can obtain a transport address (e.g., an IP address and port) on which it can receive communications from any computer that can send packets to the public Internet. TURN accomplishes this by relaying communications through a relay server that is reachable via the public Internet.
FIG. 1 is a block diagram that illustrates the TURN protocol. In this example, client computer 110 communicates with client computer 120 via relay server 150. Client computer 110 has IP address 1 and is behind a NAT (not shown), and client computer 120 has IP address 2 and is also behind a NAT (not shown). To establish a connection with client computer 120 using a suspect protocol, client computer 110 first sends (1), from its port 1 to a well-known port (“WKP”) of the relay server, a request to allocate a port. The relay server allocates its port 1 and creates (2) a mapping from the allocated port (i.e., relay port 1) to the transport address of the requesting client (i.e., IP address 1 and port 1). The relay server then sends (3) the allocated port number to client computer 110. Upon receiving the allocated port number, client computer 110 forwards (4) the IP address of the relay server and the allocated port number to client computer 120 using a protocol through which client computer 120 can receive communications. For example, client computer 120 may be able to receive communications using the Session Initiation Protocol (“SIP”). When client computer 120 receives the allocated port number, it creates (5) a mapping between client computer 110 and the IP address of the relay server and allocated port 1. Client computer 120 then sends (6) a communication to port 1 of the relay server. Upon receiving the communication, the relay server updates (7) its mapping to record the transport address of client computer 120 (i.e., IP address 2 and port 1) as the sender for allocated port 1. The relay server then forwards (8) the communication to IP address 1 and port 1 as indicated by the mapping. Client computer 120 may establish a connection with client computer 110 in an analogous manner.
For that reverse connection, the relay server may allocate port 2 and create (9) a mapping from allocated port 2 indicating that communications received on allocated port 2 are to be forwarded to client computer 120 (i.e., IP address 2 and port 1). Client computer 110 then sends communications to client computer 120 via port 2 of the relay server, and client computer 120 sends communications to client computer 110 via port 1 of the relay server. Thus, two connections are established between each pair of client computers, and each connection is used unidirectionally.
A difficulty with the use of a TURN relay server is that many ports need to be allocated by the relay server. In the example of FIG. 1, one port was allocated so that client computer 110 could send communications to client computer 120, and another port was allocated so that client computer 120 could send communications to client computer 110. Thus, the relay server allocates two ports and creates two unidirectional connections for each pair of computers. If the client computers need to send multiple streams (e.g., video and audio), then the relay server allocates two ports, and thus two connections, for each stream. The relay server would therefore allocate four ports for a two-stream conference between a pair of client computers. Moreover, if a conference includes more than two client computers, then a connection for each stream must be established between each client computer and every other client computer. For example, if three client computers are to conduct a multimedia conference of audio and video, then each client computer establishes two outgoing connections (one per stream) with each other client computer via the relay server. To establish these connections, the relay server allocates four ports for each client computer, for a total of 12 allocated ports. FIG. 2 illustrates the allocation of ports for a three-party conference. Client computers 210, 220, and 230 have established connections through relay server 250. The circles illustrate the allocated ports. The relay server maintains a mapping between each allocated port and the source and destination endpoints (e.g., computer systems) that are connected via that port. The number of allocated ports doubles when a separate connection is needed for the control information of each media stream. Thus, when a conference involves two media streams and three participants, the relay server allocates 24 ports.
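The following model reproduces the FIG. 1 exchange (allocate, map, lock on first sender, forward) and the FIG. 2 port arithmetic for an arbitrary number of participants and streams. It is an added example written for this page, not code from the original document or from any TURN implementation; the class and function names, the port numbers, the documentation-range IP addresses and the rule that only the first sender to reach an allocated port may use it afterwards are this example's own assumptions (the text only says the relay records the sender's transport address on the first packet).

```python
"""Toy model of the TURN-style relay of FIG. 1 and FIG. 2 (added example, not the
original document's code; names, ports and the first-sender lock are assumptions)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Addr = Tuple[str, int]  # transport address: (IP address, port)


@dataclass
class Mapping:
    requester: Addr              # client that allocated the port and receives from it
    peer: Optional[Addr] = None  # filled in at step (7) from the first packet that arrives


class RelayServer:
    WKP = 3478  # well-known allocation port; assumed value

    def __init__(self, ip: str, first_port: int = 49152) -> None:
        self.ip = ip
        self._next_port = first_port
        self.mappings: Dict[int, Mapping] = {}
        self.delivered: List[Tuple[Addr, Addr, bytes]] = []  # (to, from, payload)

    def allocate(self, requester: Addr) -> int:
        """Steps (1)-(3): a request to WKP yields a fresh relay port mapped to the requester."""
        port = self._next_port
        self._next_port += 1
        self.mappings[port] = Mapping(requester=requester)
        return port

    def receive(self, relay_port: int, src: Addr, payload: bytes) -> bool:
        """Steps (6)-(8): a packet on an allocated port is relayed to the requester.
        Returns True if forwarded, False if the relay dropped it."""
        m = self.mappings.get(relay_port)
        if m is None:
            return False            # no allocation on this port
        if m.peer is None:
            m.peer = src            # step (7): remember the sender's transport address
        elif m.peer != src:
            return False            # assumed policy: only the recorded peer may use the port
        self.delivered.append((m.requester, src, payload))
        return True

    @property
    def allocated_ports(self) -> int:
        return len(self.mappings)


def setup_conference(relay: RelayServer, clients: Dict[str, Addr], streams: List[str],
                     with_control: bool = False) -> Dict[Tuple[str, str, str], int]:
    """Build the FIG. 2 topology: every ordered (sender, receiver) pair gets its own
    unidirectional relay port per channel. The receiver allocates the port and hands it
    to the sender out of band (step 4). Returns {(sender, receiver, channel): relay_port}."""
    channels = list(streams)
    if with_control:
        channels += [s + "-control" for s in streams]  # e.g. a separate RTCP-style channel
    table: Dict[Tuple[str, str, str], int] = {}
    for receiver, receiver_addr in clients.items():
        for sender in clients:
            if sender == receiver:
                continue
            for channel in channels:
                table[(sender, receiver, channel)] = relay.allocate(receiver_addr)
    return table


def ports_required(participants: int, streams: int, with_control: bool = False) -> int:
    """Closed form of the count the text works out: N*(N-1) ordered pairs, one port per channel."""
    channels = streams * (2 if with_control else 1)
    return participants * (participants - 1) * channels


def demo() -> Tuple[int, int, bool, bool, bool]:
    """Reproduce the 12- and 24-port counts and exercise steps (6)-(8) on one port."""
    relay = RelayServer("203.0.113.10")
    clients = {"210": ("198.51.100.1", 5000),   # constructed addresses (documentation ranges)
               "220": ("198.51.100.2", 5000),
               "230": ("198.51.100.3", 5000)}
    table = setup_conference(relay, clients, ["audio", "video"])
    media_only = relay.allocated_ports

    relay2 = RelayServer("203.0.113.10")
    setup_conference(relay2, clients, ["audio", "video"], with_control=True)
    with_ctrl = relay2.allocated_ports

    # 220 -> 210 audio: 220 sends to the port 210 allocated; the relay forwards to 210.
    port = table[("220", "210", "audio")]
    forwarded = relay.receive(port, clients["220"], b"rtp audio")
    delivered_to_210 = relay.delivered[-1][0] == clients["210"]
    # A stray host that guesses the port after the lock is dropped.
    stray_dropped = not relay.receive(port, ("192.0.2.99", 4444), b"junk")
    return media_only, with_ctrl, forwarded, delivered_to_210, stray_dropped


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields 12 media ports for the three-party, two-stream conference and 24 once each stream carries a separate control channel, matching the counts above, and `ports_required` gives the general N*(N-1)*channels form. The model also makes the exposure concrete: between `allocate` and the peer's first packet, every allocated port is an unauthenticated socket on the public Internet that will bind to whichever source reaches it first, so the number of such windows open at once scales with the same product.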
The exposure of the relay server to attack increases with the number of allocated ports, since each allocated port is a socket reachable from the public Internet. The memory and processing requirements of the relay server also increase with the number of allocated ports. It would be desirable to have a technique for reducing the number of ports that a relay server needs to allocate for a multiparty conference.